086a15fc45
Update global ID
2021-09-02 20:07:03 +02:00
5ad29cf0c2
fix Base backend doesn't support multiple conditions (29)
2021-08-29 09:03:50 +02:00
5b869a3f42
Update cve tags
2021-08-24 10:50:01 +02:00
679651bdf9
Merge pull request #1913 from neu5ron/add_zeek_dce_rpc_printnightmare_print_driver_install
...
Zeek DCE_RPC PrintNightmare
2021-08-24 08:37:02 +02:00
e76c11da7f
Merge pull request #1908 from neu5ron/patch-7
...
improve rule logic zeek_default_cobalt_strike_certificate.yml
2021-08-24 08:36:33 +02:00
293f422243
Merge pull request #1906 from neu5ron/patch-5
...
improve zeek_dce_rpc_smb_spoolss_named_pipe
2021-08-24 08:36:18 +02:00
81ec546e42
Merge pull request #1905 from neu5ron/patch-4
...
improve rule
2021-08-24 08:36:04 +02:00
15aa0cb70e
add modified
2021-08-24 08:02:24 +02:00
4ee4f12f30
add modified
2021-08-24 08:01:01 +02:00
8ab90d8012
add modified
2021-08-24 07:59:36 +02:00
be43ecd70d
Remove empty element in list
...
Otherwise get a `null` when convert to some backend (es-rule,...)
2021-08-24 07:57:16 +02:00
9e588fdcf6
Zeek dce_rpc.log Detection of print driver installs over RPC (ie: possible PrintNightmare) using the three existing known RPC functions, as well as few others "discussed" but not directly related to PrintNightmare PoC or public post-compromise write-ups.
2021-08-24 00:58:36 -04:00
b255586117
condition fix and add fields
...
should be `operation` not `endpoint` for the detection logic.
added various fields useful for investigation
2021-08-23 14:59:06 -04:00
064d7b7b9f
improve rule logic zeek_default_cobalt_strike_certificate.yml
...
zeek logging for `certificate.serial` is all letters are capitalized
2021-08-23 14:23:41 -04:00
cfc32e5950
correct fields for zeek_rdp_public_listener.yml
...
correct zeek fields for `fields` section.
improve false positives information
2021-08-23 14:16:55 -04:00
1819e4b02b
improve rule
...
- improve rule logic
- match zeek fields for fields section
- add false positive information
- change rule name to match the logic of the original rule.. Rule said "first" seen, however, no logic that matches that (ie: rare, stacking, etc..)
2021-08-23 14:12:50 -04:00
feb7d0e187
Update zeek_dns_mining_pools.yml
2021-08-23 14:11:04 -04:00
b00e1772b3
added logic and usage
...
rule logic should be endswith.
match zeek fields for `fields` section
add false positive information
2021-08-23 14:03:38 -04:00
9d3a13b13e
cleanup
2021-08-23 19:04:01 +02:00
4f8bd4a5a2
Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
...
try new uuid to pass check...
2021-08-23 11:24:22 -04:00
6aea58b4d2
Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
2021-08-23 11:18:51 -04:00
78c667fda1
Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
...
shorten title
2021-08-23 11:15:30 -04:00
96e77eb8db
Create zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
2021-08-23 11:06:44 -04:00
295054dcbe
Replace old mitre techniques by new one
2021-08-22 13:57:56 +02:00
07a87aa7f8
Merge pull request #1858 from frack113/fix_pr718
...
Replace pr718
2021-08-21 18:02:30 +02:00
3283664154
Update remove useless rules
2021-08-19 18:28:44 +02:00
f1a84536c3
update fix
2021-08-19 17:55:41 +02:00
c9128687ee
Spelling Errors on Rules
2021-08-18 18:58:20 +00:00
c3457c9911
fix titles
2021-08-15 19:05:00 +02:00
245cb6d510
fix more errors
2021-08-15 18:55:44 +02:00
12396f615c
remove duplicate rule and fix errors
2021-08-15 16:52:24 +02:00
a75859a976
First commit
2021-08-15 16:00:14 +02:00
db0de126a5
test author for Detection Rule License 1.1
2021-08-14 19:16:36 +02:00
fc64b8b937
Split PR 1802 fix net rules
2021-08-09 17:23:15 +02:00
6d41d538b2
Title fixed
2021-07-11 09:25:33 +02:00
8e010ec60c
Added rule
...
From https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon
which weren't already covered by other rules and can be expressed
in Sigma.
2021-07-08 07:59:40 +02:00
685bd490f5
Merge pull request #1573 from d4rk-d4nph3/master
...
Added rule for default cobalt strike certificate
2021-06-25 12:16:31 +02:00
91cc97d099
Fixed the taxonomy
2021-06-24 21:07:52 +05:45
1ebbc6c1a3
Added rule for default cobalt strike certificate
2021-06-23 10:17:27 +05:45
a1bddf51e7
fix typo of falsepositives
2021-05-24 10:31:28 +02:00
0bee1b006f
fix - add date
2021-05-08 21:37:25 -04:00
4152199073
add netbios port exclusion
...
netbios - every defenders nightmare and reality of FPs
2021-05-04 18:27:05 -04:00
d4bd69dd77
Suspicious DNS Z Flag Set
...
The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward.
references:
- 'https://twitter.com/neu5ron/status/1346245602502443009 '
- 'https://tools.ietf.org/html/rfc2929#section-2.1 '
- 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS '
2021-05-04 18:13:08 -04:00
4abebd98d9
Merge pull request #1418 from SigmaHQ/rule-devel
...
Fixing false positives with newest OSCD rules
2021-04-09 17:26:02 +02:00
3fef2a10b8
Merge branch 'pr-1158'
2021-04-08 23:01:54 +02:00
a10db2df89
Fixes&improvements
2021-04-08 01:06:40 +02:00
00f01ea57f
Merge branch 'master' into rule-devel
2021-04-07 21:17:51 +02:00
6b0f66e876
refactor: change level
2021-03-24 12:38:00 +01:00
6d9fc65585
fix: FPs with www6
2021-03-24 12:37:35 +01:00
a465f2722f
refactor: CobaltStrike beacon rule
2021-03-24 11:29:05 +01:00
frack113